Hello, I have been trying to set up a master wifi with VPN (LAN) together with another one without VPN (GUEST). No luck so far.
What I can say is that both master and guest wifi work when there is no VPN, but as soon as I turn on VPN the master works with VPN while the GUEST doesn't have access to internet.
I have included some rules in the firewall, but they don't seem to help. In case it helps, I have a Linksys1900acs and this is my /etc/config/firewall file:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# VPN zone: the tunnel interface, masqueraded like wan
config zone
	option name 'VPN'
	option output 'ACCEPT'
	option network 'VPN'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

# Guest zone: isolated from lan; only DNS and DHCP to the router are opened below
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '51194'
	option name 'OpenVPN'
	option src '*'

# Zone forwardings: guest -> wan only, lan -> wan and lan -> VPN
config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'VPN'
	option src 'lan'
I am not sure if you have done it, but you need to specify a PBR rule to forward all guest traffic to wan interface, otherwise as soon as the vpn comes up, routing will push everything towards the vpn.
Take a look at this topic describing the same problem.
I just tried that, but I didn't specify gateways so it got off. I am a noob with command lines and internet specifications. But I saw this post too, where they say that these types of setups stopped working with the new firmware: Guest wifi with OpenVPN not working after 18.06-rc1
So, I don't know anymore if it is possible to do it... with new firmware, new packages.
Btw, now I have the code you shared implemented in /etc/config/network and now the guest wifi is there, but not available, independently of whether I switched VPN on or not. So, I guess it is better than before, since now I specify that it has to connect directly to wan, but it still doesn't provide internet. There must be something that can be done.
Please post here the output of the following command, all in one line:
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
With the exception of the wan IP address, all other IPs are private and there is no need to mask them with x.x.x.x
Other than that did you restart the network service after adding these? service network restart
Have you installed ip-full? opkg list-installed | grep ip-full
Is the gateway properly installed for the new routing table? ip ro ls table 2
Do you use also IPv6 over the VPN tunnel?
From a host connected to guest network can you try the following:
Does it resolve an address? nslookup openwrt.org
Which path does it follow? tracert 1.1.1.1 for windows or traceroute 1.1.1.1 for linux/mac
Do you get any replies when you ping the guest IP of the router?
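The policy routing described two posts up (send the guest subnet to its own routing table, with a real gateway in that table), plus a check of the `ip -4 ru` and `ip -4 ro ls table 2` output asked for in this post, as an added shell example. It is not code from this thread or from the OpenWrt project. The guest subnet 192.168.3.0/24, the gateway 203.0.113.1 and the sample listings are constructed placeholders; table 2 and eth1.2 are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the /etc/config/network stanzas
# that send the guest subnet out via the wan gateway instead of the VPN, and
# checks "ip -4 ru" / "ip -4 ro ls table N" listings for the two things that
# must be present. Subnet and gateway below are placeholders, not the OP's.

GUEST_SUBNET="${GUEST_SUBNET:-192.168.3.0/24}"   # placeholder guest subnet
WAN_GATEWAY="${WAN_GATEWAY:-203.0.113.1}"        # placeholder ISP gateway (TEST-NET-3)
PBR_TABLE="${PBR_TABLE:-2}"                      # routing table used in the thread

# Emit the UCI fragment: a default route in table PBR_TABLE that points at the
# wan gateway, and a rule making the guest subnet look up that table first.
# UCI ignores indentation, so spaces are used instead of tabs here.
render_guest_pbr() {
    cat <<EOF
config route 'guest_via_wan'
    option interface 'wan'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option gateway '$WAN_GATEWAY'
    option table '$PBR_TABLE'

config rule 'guest_lookup'
    option src '$GUEST_SUBNET'
    option lookup '$PBR_TABLE'
    option priority '100'
EOF
}

# $1 = output of "ip -4 ru", $2 = output of "ip -4 ro ls table $PBR_TABLE".
# Returns 0 when the guest rule exists and the table has a default route with
# a gateway ("default via ..."); prints what is missing and returns 1 otherwise.
check_guest_pbr() {
    rules="$1"; routes="$2"; status=0
    if ! printf '%s\n' "$rules" | awk -v s="$GUEST_SUBNET" -v t="$PBR_TABLE" \
        '$2 == "from" && $3 == s && $4 == "lookup" && $5 == t { f = 1 } END { exit !f }'; then
        echo "missing: ip rule 'from $GUEST_SUBNET lookup $PBR_TABLE'"; status=1
    fi
    if ! printf '%s\n' "$routes" | awk '$1 == "default" && $2 == "via" { f = 1 } END { exit !f }'; then
        echo "missing: 'default via <gateway>' in table $PBR_TABLE (route added without a gateway?)"; status=1
    fi
    return $status
}

# Constructed sample listings (what "ip -4 ru" prints before and after the rule).
RULES_BROKEN='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
RULES_FIXED='0:      from all lookup local
100:    from 192.168.3.0/24 lookup 2
32766:  from all lookup main
32767:  from all lookup default'
# Table 2 when the route was added without a gateway, and with one.
TABLE_NO_GW='default dev eth1.2 scope link'
TABLE_OK='default via 203.0.113.1 dev eth1.2'

# Demo run; "||" keeps the script alive under "set -e" when a check fails.
check_guest_pbr "$RULES_BROKEN" "$TABLE_NO_GW" || echo "guest PBR not in place"
check_guest_pbr "$RULES_FIXED" "$TABLE_OK" && echo "guest PBR looks complete"
```

On the router the check would be run as `check_guest_pbr "$(ip -4 ru)" "$(ip -4 ro ls table 2)"` after `service network restart`. The point of the second test is the one the earlier reply hints at: a route stanza without `option gateway` installs a link-scope default route, so guest packets go nowhere even though the rule is there. A hard-coded gateway breaks if the ISP hands out a different one, which is why packages that manage this dynamically (vpnbypass is mentioned later in the thread) are usually the better long-term choice.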
Which path does it follow? tracert 1.1.1.1 for windows or traceroute 1.1.1.1 for linux/mac
I share the outcome with x.x.x.x (sorry, I don't know what should be private vs what not, still learning)
1 x.x.x.x (x.x.x.x) 1.277 ms 1.383 ms 1.498 ms
2 * * *
3 x.x.x.x (x.x.x.x) 10.150 ms 11.235 ms 3.903 ms
4 0-14-0-3-cgw01.websitecompany.com (209.148.233.161) 11.141 ms 3006-cgw01.websitecompany.com (x.x.x.x) 14.444 ms 0-14-0-3-cgw01.x.x.net.x.com (x.x.x.x) 8.966 ms
5 x.x.x.x (x.x.x.x) 9.855 ms x.x.x.x (x.x.x.x) 13.842 ms x.x.x.x (x.x.x.x) 11.562 ms
6 * * *
7 one.one.one.one (1.1.1.1) 11.409 ms 9.806 ms 9.635 ms
Do you get any replies when you ping the guest IP of the router?
Yes, there are replies. I also checked with facebook, and there are replies as well. But it is not available either on Android or on the Linux laptop.
Sorry, I was mistaken about one thing. I didn't check the traceroute from computer session but from router session.
I actually have problems with traceroute, but not with ping to the router ipaddr from my session connected to wifi. I get this:
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 OpenWrt.lan (x.x.x.x) 110.667 ms 110.666 ms 110.737 ms
2 x.x.x.x (x.x.x.x) 3185.318 ms !H 3185.360 ms !H 3185.485 ms !H
Private addresses are 10.x.x.x, 172.16-31.x.x and 192.168.x.x
Repost everything because I cannot understand what is going on here with all these masked IP addresses.
Don't mask IP addresses in traceroute!
Hello, again!
I installed some packages required for vpnbypass and I got vpnbypass working, so I don't need the wifi guest anymore. But! for the sake of understanding the problem, I continue posting
I installed and replaced some packages for vpnbypass:
And now I am getting this outcome from host connected to guest network.
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 OpenWrt.lan (192.168.x.x) 3.991 ms 3.987 ms 4.110 ms
2 192.168.x.x (192.168.x.x) 3136.429 ms !H 3136.449 ms !H 3136.550 ms !H
Not more than that.
PS: The traceroute I sent before was from machine with proper connection to internet, so it is not relevant for this.
OpenWrt.lan is your router. I don't know what 192.168.0.14 is.
Go back to this post and upload again the output without masking the IPs. Change slightly the MACs if you are concerned and the IP of eth1.2 (wan).
I stopped trying to set the independent extra wifi without VPN. I don't need it anymore. Too much work. And the previous post was not about the wifi I want to set up. It was about the connection you get with ethernet in the router. Thanks a lot for all the help!